Service NSW's handling of personal information
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.
The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.
The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.
The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service, which supports Service NSW with privacy, risk and governance functions.
Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.
Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.
Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.
The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.
In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.
In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.
This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.
This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.
It addressed the following:
- Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
- Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
- Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?
Conclusion
Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.
Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring. Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies. The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach, as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.
Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.
Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.
Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customers' personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.
Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.
Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.
1. Key findings
Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020
Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.
Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.
One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.
This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.
It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.
Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.
In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.
A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.
Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.
Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies
Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.
The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each party's privacy responsibilities, such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.
Service NSW's privacy management plan has not been updated to include new programs and governance changes
Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.
The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).
Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes
Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.
Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.
Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks
Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.
The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.
While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.
2. Recommendations
Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.
As a matter of urgency, Service NSW should:
1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies
2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.
By March 2021, Service NSW should:
3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:
- to clarify Service NSW's understanding of how responsibility for meeting privacy obligations is delineated between Service NSW and client agencies
- to better reflect the full scope and complexity of personal information handled by Service NSW
- to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
- to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information
5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:
- ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
- ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.
By June 2021, Service NSW should:
6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:
- establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
- enable partitioning and role based access restrictions to personal information collected for different programs
- provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
- enable customers to view the transaction history of their personal information to detect possible mishandling.
By December 2021, Service NSW should:
7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:
- are identified as high risk and have not previously had a privacy impact assessment
- have had major changes or updates since the privacy impact assessment was completed.
Appendix one – Responses from agencies
Appendix two – About the audit
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Stronger Communities 2020
This report analyses the results of our audits of financial statements of the agencies comprising the Stronger Communities cluster for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting

| Topic | Key observations |
|---|---|
| Quality of financial reporting | Unqualified audit opinions were issued for all agencies' 30 June 2020 financial statements. |
| Compliance with financial reporting requirements | The Treasury extended the statutory deadline for the submission of the 2019–20 financial statements. For agencies subject to Treasurer's Directions, Treasury required agencies to submit their 30 June 2020 financial statements by 5 August 2020. For other agencies, the deadline was extended to 31 October 2020. All agencies in the cluster met the revised statutory deadlines. Cluster agencies substantially completed the mandatory early close procedures set by NSW Treasury. However, nine agencies including the Department of Communities and Justice (the department) did not complete one or more mandatory requirements, such as assessing the impact of new and updated accounting standards. |
| Financial implications of recent emergencies | Emergency events significantly impacted cluster agencies in 2019–20. Our review of seven cluster agencies most affected highlighted some had incurred additional expenditure because of the bushfires and floods. Others lost revenue due to the COVID-19 pandemic. During the year these agencies collectively received additional funding of $1.1 billion from the State to respond to: The Sydney Cricket Ground Trust, Venues NSW and Office of Sport lodged insurance claims of $51.3 million with the Treasury Managed Fund with respect to lost revenues from the pandemic. The losses were mainly due to event cancellations and covered various periods ranging from mid-March to 31 December 2020. The change in economic conditions caused by the COVID-19 pandemic resulted in the NSW Government cancelling the refurbishment of Stadium Australia it had previously approved in August 2019. Venues NSW wrote off $16.8 million of redevelopment costs during 2019–20. |
| Restatement of the Sydney Cricket Ground valuation | The valuation of the Sydney Cricket Ground (the Stadium) included costs of $28.6 million which were not eligible for capitalisation. The financial statements were restated to reflect the reduction in the value of the Stadium and the asset revaluation reserve. |
| Unresolved data quality issues in the VS Connect system | The department continues to address significant data quality issues resulting from its implementation of the VS Connect system (the System) in 2019. The issues relate to the completeness and accuracy of the data transferred from the legacy system. The System is used by the department to manage its Victims Support Services (VSS) and for financial reporting purposes. An independent actuary helps the department estimate its liability for VSS claims. The actuary's valuation at 30 June 2020 was again impacted by the data quality issues. Consequently, the actuary adopted a revised valuation methodology compared to previous years. Recommendation (repeat issue): The department should resolve the data quality issues in the VS Connect System before 31 March 2021. |
| AASB 16 'Leases' resulted in significant changes to agencies' financial position | Cluster agencies implemented three new accounting standards for the first time in 2019–20. Adoption of AASB 16 'Leases' resulted in cluster agencies collectively recognising right-of-use assets and lease liabilities of $1.7 billion and $1.1 billion respectively on 1 July 2019. Significant misstatements in how lease related balances had been calculated were found in 17 of the 29 cluster agencies. The cluster outsources the management of most of its owned and leased property portfolio to Property NSW, but cluster agencies remain responsible for any deliverables under that arrangement. The misstatements were mainly caused by late revisions of key assumptions and issues with the accuracy and completeness of Property NSW's lease information. |

2. Audit observations

| Topic | Key observations |
|---|---|
| Internal control deficiencies | Our 2019–20 financial audits identified 191 internal control issues. Of these, two were high risk and almost one-third were repeat findings from previous audits. While repeat findings reduced by 5.7 percentage points in 2019–20, the number remains high. Recommendation (repeat issue): Cluster agencies should action recommendations to address internal control weaknesses promptly. Focus should be given to addressing high risk and repeat issues. |
| Agencies' response to recent emergencies | The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies rose from $67.4 million in 2018–19 to $497 million in 2019–20. The COVID-19 pandemic presented unprecedented challenges for the cluster. Social distancing and other infection control measures disrupted the traditional means of delivering services. Agencies established committees or response teams to respond to these challenges. The department introduced measures to minimise the risk of the spread of COVID-19 amongst inmates in custodial settings. |
| Managing excess annual leave | Managing excess annual leave was a challenge for cluster agencies directly involved in the government's response to the emergency events. Employees in frontline cluster agencies deferred leave plans and many have taken little or no annual leave during the reporting period. Annual leave liabilities rose at the department, NSW Police Force, Fire and Rescue NSW, Office of the NSW Rural Fire Service, the Legal Aid Commission of New South Wales and the Office of the Director of Public Prosecutions. The combined liabilities increased from $620 million to $692 million, or 11.6 per cent, between 30 June 2019 and 30 June 2020. |
| Implementation of Machinery of Government (MoG) changes | Administrative Arrangement Orders effective from 1 July 2019 created the Department of Communities and Justice and transferred functions and staff, together with associated assets and liabilities, into the department from the former departments of Justice and Family and Community Services. The department continues to establish its governance arrangements following the MoG changes. Recommendation: The department should finalise appropriate governance arrangements for its new organisational structure as soon as possible. This includes: |
| Delivery of the Prison Bed Capacity Program | The department continued to expand prison system capacity through the NSW Government's $3.8 billion Prison Bed Capacity Program. The department reported it spent $480 million on the Program in 2019–20. Six prison expansion projects were completed during the year, which added 1,660 new and 395 refurbished beds to the NSW prison system. Data from the department shows the number of adult inmates in the NSW prison system reached a maximum of 14,165 during the year. Operational capacity was 16,096 beds on 19 August 2020. |
This report provides parliament and other users of the financial statements of agencies in the Stronger Communities cluster with the results of our audits, our observations, analysis, conclusions and recommendations.
Agencies in the Stronger Communities cluster were significantly impacted by the bushfires, floods and the COVID-19 pandemic in 2019–20. Our 2019–20 financial audits of the seven cluster agencies most significantly impacted by the recent emergency events considered:
- the financial implications of the emergency events
- changes to agencies' operating models and control environments
- delivery of new or expanded projects, programs or services at short notice.
Our findings on these seven agencies' responses to the recent emergencies are included throughout this report. These agencies are:
- Department of Communities and Justice
- Fire and Rescue NSW
- NSW Police Force
- Office of the NSW Rural Fire Service
- Office of the NSW State Emergency Service
- Sydney Cricket and Sports Ground Trust
- Venues NSW.
The Department of Communities and Justice is the principal agency of the cluster. The names of all agencies in the Stronger Communities cluster are included in Appendix one.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities cluster for 2020, including any financial implications from the recent emergency events.
Section highlights
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statement audits of agencies in the Stronger Communities cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies
- review of how the cluster agencies managed the increased risks associated with new programs aimed at stemming the spread of COVID-19 and stimulating the economy.
Section highlights
Appendix one – Timeliness of financial reporting by agency
Appendix two – Management letter findings by agency
Appendix three – List of 2020 recommendations
Appendix four – Status of 2019 recommendations
Appendix five – Selected agencies for review of response to emergency events
2016 - An overview
This report focuses on key observations and findings from 2016 audits and highlights key areas of focus for financial and performance audits in 2017.
Financial reporting

| Observation | Conclusion |
|---|---|
| Only one qualified audit opinion was issued on the 2015–16 financial statements of NSW public sector agencies, compared to two in 2014–15. | The quality of financial reporting continued to improve across the NSW public sector. |
| More 2015–16 financial statements and audit opinions were signed within three months of the year end. | Timely financial reporting was facilitated by more agencies resolving significant accounting issues early, completing asset valuations on time and compiling sufficient evidence to support financial statement balances. |
| NSW Treasury's early close procedures in 2015–16 were again successful in improving the quality and timeliness of financial reporting, largely facilitated by the early resolution of accounting issues. For 2016–17, NSW Treasury has narrowed the scope of mandatory early close procedures. | The narrowed scope of mandatory early close procedures may diminish the good performance in ensuring the quality and timeliness of financial reporting achieved in recent years. To mitigate this risk, NSW Treasury has mandated that agencies perform non-financial asset valuations and prepare proforma financial statements in their early close procedures. It also encourages them to continue with the good practices embedded in recent years. |
| Although most agencies complied with NSW Treasury's early close asset revaluation procedures, we identified areas where they can improve. | Asset revaluations need to commence early enough to ensure all assets are identified and the results are analysed, recorded and reflected accurately in the early close financial statements. |
Number of misstatements
Year ended 30 June | 2015-16 | 2014-15 | 2013-14 | 2012-13 | 2011-12 |
---|---|---|---|---|---|
Total reported misstatements | 298 | 396 | 459 | 661 | 1,077 |
All material misstatements identified by agencies and audit teams were corrected before the financial statements and audit opinions were signed. A material misstatement relates to an incorrect amount, classification, presentation or disclosure in the financial statements that could reasonably be expected to influence the economic decisions of users.
Significant matters reported to the portfolio Minister, Treasurer and Agency Head
In 2015–16, we reported the following significant matters to the portfolio Minister, Treasurer and agency head in our Statutory Audit Reports:
Appropriate financial controls help ensure the efficient and effective use of resources and the implementation and administration of agency policies. They are essential for quality and timely decision making.
In 2015–16, our audit teams made the following key observations on the financial controls of NSW public sector agencies.
Financial controls
Observation | Conclusion |
---|---|
More needs to be done to implement audit recommendations on a timely basis. We found 212 internal control issues identified in previous audits had not been adequately addressed by 30 June 2016. | Delays in implementing audit recommendations can impact the quality of financial information and the effectiveness of decision making. Agencies need to ensure they have action plans, timeframes and assigned responsibilities to address recommendations in a timely manner. |
Agencies continue to face challenges managing information security. Most information technology issues we identified related to poor IT user administration in areas like password controls and inappropriate access. | Agencies should review the design and effectiveness of information security controls to ensure data is adequately protected. |
We found shared service provider agreements did not always adequately address information security requirements. | Where agencies use shared service providers, they should consider whether the service level arrangements adequately address information security. |
Thirteen of 108 agencies required to attest to having a minimum set of information security controls did not do so in their 2015 annual reports. | The 'NSW Government Digital Information Security Policy' recognises the growing need for effective information security. With cyber security threats continuing to increase as digital services expand, we plan to look at cyber security as part of our 2017–18 performance audit program. |
We identified instances where service level agreements with shared service providers were outdated, signed too late or did not exist. | Corporate and shared service arrangements are more effective when service level arrangements are negotiated and signed in time, clearly detail rights and responsibilities and include meaningful KPIs, fee arrangements and dispute resolution processes. |
Internal controls at GovConnect, the private sector provider of transactional and information technology services to many NSW public sector agencies, were ineffective in 2015–16. We found mitigating actions taken to manage transition risks from ServiceFirst to GovConnect were ineffective in ensuring effective control over client transactions and data. | The Department of Finance, Services and Innovation should ensure GovConnect addresses the control deficiencies. It should also examine the breakdowns in the transition of the shared service arrangements and apply the learnings to other services being transitioned to the private sector. |
Maintenance backlogs exist in several NSW public sector agencies, including Roads and Maritime Services, Sydney Trains, NSW Health, the Department of Education and the Department of Justice. | To address backlog maintenance, it is important for agencies to have asset lifecycle planning strategies that ensure newly built and existing assets are funded and maintained to a desired service level. |
Actions for Building the readiness of the non-government sector for the NDIS
Building the readiness of the non-government sector for the NDIS
The Department of Family and Community Services has managed the risks of the transition to the National Disability Insurance Scheme (NDIS) in New South Wales effectively by increasing the overall capacity of the non-government sector and investing in provider capability.
The National Disability Insurance Scheme (NDIS) is a major reform that aims to change the way disability support is provided and received. Responsibility for overseeing the system to support people with disability in New South Wales will transfer from the NSW Government to the National Disability Insurance Agency (NDIA), an independent statutory agency of the Australian Government. Eligible people with disability will receive individual funding from the NDIA and purchase support from their chosen service providers, rather than being referred to services funded or provided by government. The NSW Government will transfer all disability services it currently provides to the non-government sector.
Approximately 78,000 people received NSW Government-funded disability support in 2015–16 at a cost of around $3.3 billion. An estimated 142,000 people will have an individual NDIS support plan in New South Wales, with total funding rising to around $6.8 billion in 2018–19. NDIS trials began in New South Wales in 2013. The full scheme was introduced in July 2016 and is scheduled to be operating across the state by July 2018.
This audit assessed the effectiveness of the NSW Department of Family and Community Services' (the Department's) management of the risks of the NDIS transition in New South Wales. It focused on the Department's work to build the readiness of the non-government sector for the NDIS. To make this assessment, we asked whether:
- the Department supported the non-government sector to build capacity to meet the expected increase in demand under the NDIS
- the Department supported disability service providers in NSW to improve their capability to deliver NDIS services
- the Department's work to prepare for the NDIS has been coordinated with the Australian Government's NDIS readiness work.
In addition to the audit questions above, this audit identified principles governments should consider when building the capacity and capability of the non-government sector to deliver human services.
Conclusion
The Department of Family and Community Services has managed the risks of the transition to the NDIS in New South Wales effectively by increasing the overall capacity of the sector and investing in provider capability building initiatives. More work is needed to build the sector's capacity to provide services to people with more complex support needs and to help existing providers complete the transition to the NDIS successfully.
The Department expanded the capacity of the non-government sector over the past decade in a way that was consistent with NDIS objectives. The development of a national market and workforce for the NDIS is an Australian Government responsibility and the Department has supported the Australian Government's work. More targeted work will be needed to build the capacity of the non-government sector to provide services to people with the most complex support and access needs.
The Department invested in provider capability building by funding programs that were delivered in partnership with sector peak bodies. The larger programs were evaluated and received positive feedback, but many providers will need more support to transition to the NDIS. The overall impact of the programs on provider readiness for the NDIS is not clear because baseline information on provider capability was not collected and targets for improvement were not set.
The Department managed the transition coordination risks by establishing comprehensive governance arrangements, contributing to the Australian Government's sector development work through national policy coordination forums and sharing lessons from New South Wales.
Building the capacity of the non-government sector
The Department supported an increase in the capacity of non-government providers
The Department started building the capacity of the non-government sector before the NDIS was developed. This included moving services provided by government into the non‑government sector, funding early intervention and community-based disability support, and introducing some individual support packages. The Department checks that the business and operational systems of non-government disability providers are adequate. However, its understanding of the outcomes for people using the services is limited.
Service gaps are possible for people with more complex support or access needs
There are risks to the supply of services to people who have more complex support or access needs, including people who need specialist clinical support, people in remote areas, Aboriginal and Torres Strait Islander communities and culturally and linguistically diverse communities. The Department has supported the NDIA's initial market development work and funded some programs to help providers build their capacity to support these groups. However, there is a risk the market will not expand quickly enough to meet the increase in demand for services.
Sector sustainability depends on support from outside the disability services sector
The sustainability of funded disability services provided by the non-government sector depends on support from outside the sector. Most people with disability receive significant unpaid support from family members, so carers will play a key role in the sustainability of the NDIS. There are opportunities for organisations that do not provide specific disability services to contribute to sector sustainability by providing some NDIS services. To do this, many will need help to make their services more accessible and inclusive to people with disability.
Helping non-government providers develop their capability
The Department invested in capability building programs for providers
The Department has spent more than $30 million over six years on programs that aim to improve the capability of disability support providers. This work began before the NDIS was established and was adjusted to focus on NDIS readiness from December 2012. It was guided by an industry development strategy that was developed after consultation with the sector and delivered in partnership with sector peak bodies. This approach gave the sector some responsibility for developing its own capability, which is important because the sector will not receive support from the NSW Government after the transition to the NDIS.
The overall impact of the programs on the capability of providers is not clear
The overall effectiveness of the Department's spending on provider capability is not clear. The Department had some information on the general financial health and organisational capability of providers from previous industry development work. However, baseline information on provider capability was not collected before programs commenced and targets for improvements in provider capability were not set. Without this information, the Department cannot demonstrate clearly that the capability building programs it funded represent good value for money.
Most providers will need more support to transition to the NDIS effectively
In late 2015, the Department assessed the transition progress of providers in New South Wales. This assessment indicates almost one third of providers are highly likely to need additional assistance to transition to the NDIS successfully, with only 14 per cent unlikely to need further assistance. We conducted a survey of 299 providers in New South Wales in August 2016. Most reported that they feel they are on track to transition to the NDIS successfully. Sixty-two per cent said the Department-funded programs and resources they had used had improved their readiness for the NDIS. Fifty-four per cent said the changes made because of using these programs and resources had a lasting impact on their organisation.
Coordinating sector development
Governance systems and planning processes for the NDIS transition were established
The Department developed governance arrangements for the transition in New South Wales. It contributed actively to the development of national policy and strategy documents including a strategy for national market development.
The Department shared sector readiness lessons with the Australian Government
Two NDIS sector readiness programs funded by the NSW Government were later expanded to national programs through funding from the Australian Government. New South Wales only received around five per cent of the total Australian Government funding for NDIS sector readiness initiatives. A report by the Australian National Audit Office in 2016 found there was limited evidence of a strategic approach by the Australian Government when allocating this funding to states and territories.
The Department has monitored transition issues and mitigated these where possible
The Department has monitored administrative issues for providers, which have included the changes in funding arrangements and registering for the NDIS. It has taken action to mitigate these where possible, although some issues, such as the operation of NDIA administrative systems, are beyond its control.
The National Disability Insurance Scheme (NDIS)
The NDIS is a fundamental change to the disability support system
The NDIS is a major reform that aims to make significant changes to the way disability support is provided and received. Under the NDIS, the administration of funding for disability support in New South Wales will transfer from the NSW Government to the National Disability Insurance Agency (NDIA), an independent statutory agency of the Australian Government. The NSW and Australian Governments will both contribute to funding the NDIS. The size of the disability services sector in New South Wales is expected to more than double when the NDIS is fully operational (Exhibit 1).
Measure of sector capacity | Pre-NDIS (2015-16) | NDIS (2018-19) |
---|---|---|
Funding for services | $3.3 billion | $6.8 billion |
People receiving support | 78,000 | 142,000 |
Workforce required | 25,000-30,000 | 48,000-59,000 |
Number of providers | 699 | Determined by the market |
One of the main objectives of the NDIS is to increase the choice and control that people with disability have over the support they receive. Under the NDIS, people with disability receive individual funding packages which they can use to pay their chosen providers for the support they need, instead of being referred to services that are deemed appropriate for their needs. This is a fundamental change to the nature of disability support. Before the NDIS, people with disability were moved around the system according to decisions made by government or other organisations providing disability support. Under the NDIS, the funding will move around the system based on the choices people with disability make. The development of the new market for NDIS disability services is expected to take up to ten years because the changes to the system are so extensive.
In addition to increasing choice and control for participants, the NDIS aims to:
- improve outcomes for people with disability by intervening early to help reduce the need for support later in life
- increase integration by helping people with disability access mainstream government services such as health and education
- increase the involvement of people with disability in the community by making it easier to access community services such as sports clubs and community groups.
The transition to the NDIS is underway
The transition to the NDIS is underway in most Australian states and territories, following trials over the last three years. In New South Wales, a trial site was established in the Hunter area in July 2013. Early rollout of the NDIS began in July 2015 for people aged under 18 in the Nepean Blue Mountains area. On 30 June 2016, about 7,800 people had an NDIS plan in the Hunter trial site and around 1,800 people had a plan in the Nepean Blue Mountains area.
The full rollout of the NDIS began in about half of New South Wales in July 2016. The NDIS will start operating in the rest of the state from July 2017 and the transition is scheduled to be completed by July 2018 (Exhibit 2).
For the rest of the transition, the Department of Family and Community Services should:
- Work with the Australian Government, NDIA and other NSW Government agencies to identify gaps and develop the capacity of specialist clinical services, focusing on regional and rural areas.
- Continue to implement projects to increase the number of organisations that can support Aboriginal and Torres Strait Islander and culturally and linguistically diverse communities.
- Target remaining capability building assistance to less prepared providers, including via one-to-one support and mentoring in identified areas of weakness.
- Continue working with the Australian Government and the NDIA to ensure lessons from sector capability programs are shared.
Principles for developing the non-government sector
- Commence work to increase the capacity of the non-government sector early to allow time for service capacity to be built in a sustainable way.
- Decide whether to increase the capacity of the sector by supporting existing providers to expand their operations, attracting new organisations from outside the existing provider group, or some combination of these.
- Tailor approaches to supporting groups that have additional support or access needs because of cultural or geographic factors.
- Define the desired outcomes for people using services and, where possible, include outcomes in service delivery contracts.
- Invest in the sector by partnering with sector peak bodies to deliver capability programs.
- Include one-to-one support and mentoring in capability building programs where possible to improve the targeting of support to the specific needs of providers.
- Collect baseline information on provider capability before commencing programs and build robust tracking and evaluation into their design.
- Establish whole-of-government governance arrangements to ensure roles, responsibilities and accountability for delivery are clear.
Parliamentary reference - Report number #280 - released 23 February 2017
Actions for Responding to Domestic and Family Violence
Responding to Domestic and Family Violence
Organisations generally work together to improve the safety of victims when there is an overt and serious crisis, particularly where children are involved. There are no standard ways for victims and perpetrators to access help that might prevent ongoing violence and address underlying issues. This is particularly problematic where there are repeat victims and perpetrators, many of whom have complex mental health, drug and alcohol problems and are difficult to work with. New South Wales has trialled a number of projects to improve the way that organisations work together to support vulnerable people in particular communities.
Parliamentary reference - Report number #218 - released 8 November 2011
Actions for Solar Bonus Scheme
Solar Bonus Scheme
A NSW Auditor General’s Report has found that the NSW Government and its agencies grossly underestimated the cost and number of people that would install systems under the Solar Bonus Scheme.
By October 2010, the estimated cost of the Scheme, if it continued the way it was going, would have reached $3.988 billion, more than ten times the original estimate of $362 million. In response to the increased cost, the gross tariff for new applicants was reduced from 60 to 20 cents, reducing the estimated cost to $1.954 billion.
It was a statutory requirement that when 50 megawatts of installed capacity was reached, the Government would review the Scheme. By the time the review was completed, the installed capacity had reached 101 megawatts.
Actions for Two Ways Together - NSW Aboriginal Affairs Plan
Two Ways Together - NSW Aboriginal Affairs Plan
To date the Two Ways Together Plan (the Plan) has not delivered the improvement in overall outcomes for Aboriginal people that was intended. Stronger partnerships between the government and Aboriginal people are only beginning to emerge. The disadvantage still experienced by some of the estimated 160,000 Aboriginal people in NSW is substantial. For example, the unemployment rate for Aboriginal people is at least three times higher than the rate for all NSW residents and hospital admissions for diabetes are also around three times higher.
Parliamentary reference - Report number #213 - released 18 May 2011
Actions for Helping older people access a residential aged care facility
Helping older people access a residential aged care facility
Assessment processes for older people needing to go to a Residential Aged Care Facility (RACF) vary depending on the processes of the Aged Care Assessment Teams (ACAT) they see and whether or not they are in hospital. The data collected on ACAT performance was significantly revised during 2004, making comparisons with subsequent years problematic. ACATs have more responsibilities than assessing older people for residential care. It is not clear whether they have sufficient resources for this additional workload.
Parliamentary reference - Report number #160 - released 5 December 2006
Actions for Agencies working together to improve services
Agencies working together to improve services
In the cases we examined, we found that agencies working together can improve services or results. However, the changes were not always as great as anticipated or had not reached maximum potential. Establishing the right governance framework and accountability requirements between partners at the start of the project is critical to success. And joint responsibility requires new funding and reporting arrangements to be developed.
Parliamentary reference - Report number #149 - released 22 March 2006